Report of Aadhaar software hacking incorrect, baseless: UIDAI


The Unique Identification Authority of India (UIDAI) on Tuesday dismissed a news report claiming that the Aadhaar identity database had been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users.

In a statement issued later in the day, the UIDAI said that the report is “completely incorrect and irresponsible”.

The Government of India agency responsible for implementing the Aadhaar scheme said that the reported claim of “anybody is able to create an entry into Aadhaar database, then the person can create multiple Aadhaar cards” is completely false.

“The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted,” said the UIDAI.

Rejecting as baseless the claims that a vulnerability in Aadhaar leads to ghost entries in the database and the generation of multiple Aadhaar cards, UIDAI said that “the report itself accepts that ‘it (patch) doesn’t seek to access information stored in the Aadhaar database’”.

UIDAI said that the agency matches all the biometrics (10 fingerprints and both irises) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing the identification card.

“All necessary safeguard measures are taken spanning from providing standardised software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the operators in ‘every’ enrolment, identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked,” said UIDAI.

The agency said that “no operator can make or update Aadhaar unless resident himself give his biometric”.

UIDAI said that it is not possible to introduce ghost entries into the Aadhaar database because it checks the enrolment operator’s biometric and other parameters before processing enrolments or updates.

But even if a ghost enrolment/update packet is sent to UIDAI, “the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated”.

“If an operator is found violating UIDAI’s strict enrolment and update processes or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes financial penalty up to Rs 1 lakh per instance,” said the agency, adding that over 50,000 operators have been blacklisted.

The agency said that it gave “adequate responses” to similar allegations made before the Supreme Court during the hearing of the Aadhaar case.

UIDAI also said that people should approach only the authorised Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrolment or updates, the list of which is available on the UIDAI website.

Earlier today, a report published by Huffington Post claimed that a software patch, which allows unauthorised people to generate Aadhaar numbers at will, is widely being used.

The report said that an unauthorised person from anywhere in the world can generate Aadhaar ID using the patch, which is easily available for Rs 2,500.

The patch, which is a bundle of code used to alter the functionality of a software programme, reportedly lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

Following the report, the Congress said that the sanctity of the unique identification system was jeopardised.

“The hack of the Aadhaar enrolment software jeopardises the sanctity of the Aadhaar database. We hope the authorities will take the appropriate moves to secure future enrolments and verify the suspect enrolments,” a tweet from the official handle of the Congress read.